GDPR 101: Understanding the Basics of the General Data Protection Regulation
With 2018 quickly approaching, talk of the EU’s General Data Protection Regulation (GDPR) has increased exponentially. For those of us unfamiliar with the law, it can feel like swimming in murky waters, but because of its huge international implications and fines, it’s essential for the marketing and technology departments of any firm (including firms not based in Europe) to understand the regulation and how it can affect their business.
A quick disclaimer: One North is not a law firm nor a legal expert. This blog is meant to guide you through the basics of GDPR itself, not suggest specific actions to take regarding the law.
First off, what is GDPR?
Ultimately, GDPR is a data privacy regulation in the European Union aimed at protecting individuals’ rights over their personal data, online and offline. The law forces businesses to scrutinize what kind of personal data they collect, why they collect it, and how they secure it, and to make that data accessible to the people it describes. The regulation was adopted in 2016 and applies from May 25, 2018.
There are four key articles of the law to familiarize yourself with before any strategizing can begin:
- Transparent information, communication and modalities for the exercise of the rights of the data subject (Art. 12). This article requires that any information you give people about how their data is processed, and any mechanism they use to exercise their rights, be concise, transparent, easily accessible and written in clear and plain language. (The conditions for valid consent itself sit in Art. 7.) Both need to be actionable – for example, through forms and buttons – so it’s likely UX experts will need to get involved to make this experience feel seamless while still abiding by the law.
- The right to erasure (Art. 17). The “right to be forgotten” means firms must be able to remove the data they hold on a person at that person’s request, without undue delay; the general response window in Art. 12(3) is one month, extendable in complex cases. Note that this has to reach backups, analytics exports and any vendors you have shared the data with, not just the primary database.
- The right to data portability (Art. 20). People have the right to receive the personal data they have provided to a firm, and to have it transmitted to another provider. The firm must provide this data in a structured, commonly used and machine-readable format (for example CSV or JSON), not a PDF printout.
- Security of processing (Art. 32). Firms are expected to implement technical and organisational measures appropriate to the risk, taking into account the state of the art. The article explicitly names pseudonymisation and encryption of personal data, the ability to restore availability after an incident, and regular testing of those measures; in practice this also means the supporting basics the page’s authors have in mind, such as password policies and an information security framework.
What’s at stake?
The penalties for non-compliance are significant. Monetarily speaking, the top tier of fines reaches €20 million or four percent of your total worldwide annual turnover for the preceding financial year, whichever is greater. For firms that make billions a year, this amount can be staggering.
What’s more, non-compliance could have a significant impact on your brand and industry reputation. Taking user privacy and security seriously is important because it demonstrates trustworthiness and reliability, so if the fines aren’t motivation enough, protecting your brand identity should persuade you to tackle the GDPR head on.
My business is based in the United States. Why does GDPR matter to me?
The GDPR’s effect does not stop at EU-based businesses. Under Art. 3(2), it also applies to companies outside the EU that offer goods or services to people in the EU, or that monitor their behaviour (for example through tracking and analytics). Simply having a website that someone in the EU can visit is not, by itself, enough to bring you in scope (Recital 23), but marketing to EU customers, taking their orders, or profiling EU visitors is. Because so many businesses do at least one of these, some experts predict nearly every business across the globe will be affected.
What can I do right now?
The first step you should take is to talk with your general counsel. Your company’s legal team’s interpretation of the law, review of contractual obligations and company’s overall privacy policy will help guide your strategy moving forward.
When you begin taking steps towards compliance, make sure to create a cross-functional team, including those with IT, customer experience, marketing, UX, digital and legal expertise. This way, you’ll have privacy champions across each function in your business as well as the right vendors by your side.
Things to consider:
- As with any global change, there is a lot of information – and specifically misinformation – about the law. Always check your sources; the regulation text and the guidance published by the EU data protection authorities are the primary references.
- Much of the law is deliberately principle-based rather than prescriptive. One example is the definition of “personal data” (Art. 4(1)), which is broad: any information relating to an identified or identifiable natural person, which can include IP addresses and cookie identifiers, not just names and e-mail addresses. You’ll need to work closely with your legal team to decide how to handle these open questions for your own systems.
- Consider rethinking how you view your digital assets. Just as responsive design set off the “mobile-first” approach to design, this law may create a “privacy-first” mentality for UX-ers, designers and technologists.
Interested in more on GDPR and Privacy Best Practices? Watch #1NWebinar: GDPR & Privacy Best Practices for Digital Marketers. If you’d like to discuss actionable next steps to make your digital assets compliant with the GDPR, learn more here.
As Director of Technology Operations and Offerings at One North, Ethel is responsible for the management and execution of leading digital technology solutions and product management, continuously identifying new strategic technology opportunities for One North and its clients. Never one to shy away from a challenge, Ethel once zip-lined, upside down, in a rain forest in Costa Rica.
Favorite movie quote: “With great power comes great responsibility.” – Spiderman
Favorite hobby: I love to cook. Delicious food makes everything better!